WordPress Plugin Vulnerabilities

360 Javascript Viewer < 1.7.13 - Missing Authorization to Plugin Settings Update

Description

The 360 Javascript Viewer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and nonce exposure on several AJAX actions in all versions up to, and including, 1.7.12. This makes it possible for authenticated attackers, with subscriber access or higher, to update plugin settings.

Affects Plugins

Plugin icon
360deg-javascript-viewer
Fixed in 1.7.13

References

CVE
CVE-2024-1637
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1ba33c84-5198-4c77-8995-d0a315d68990

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
e780a089-1968-48ae-ad19-2a54dc25c1ce

Timeline

Publicly Published
2024-03-21 (about 2 years ago)
Added
2024-03-21 (about 2 years ago)
Last Updated
2024-03-21 (about 2 years ago)

Other

Published
Title
Published
2025-05-24
Title
Visual Header < 1.5 - Missing Authorization
Published
2026-02-17
Title
EventPrime < 4.2.8.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Event Modification via 'event_id' Parameter
Published
2025-12-31
Title
Serial Codes Generator and Validator with WooCommerce Support < 2.8.3 - Missing Authorization
Published
2025-06-05
Title
WordLift <= 3.54.5 - Missing Authorization
Published
2024-08-09
Title
EventPrime < 4.0.4.0 - Missing Authorization via calendar_event_create()